🎓 The Incident Unfolds at Sapienza University

On February 2, 2026, Sapienza University of Rome, known as Università degli Studi di Roma "La Sapienza," Europe's largest university by enrollment with over 120,000 students, fell victim to a major cyberattack. This ancient institution, founded in 1303 and one of the oldest universities in continuous operation worldwide, experienced a sudden and complete disruption of its IT infrastructure. Reports quickly emerged indicating a suspected ransomware attack, forcing the university to take drastic measures by shutting down all network systems to prevent further damage.

The attack began early that Sunday morning, targeting critical systems including the university's website, email services, and the Infostud student management platform. Within hours, students attempting to book exams or access course materials found themselves locked out. Faculty members could no longer communicate digitally, and administrative tasks ground to a halt. The university's official communications shifted to social media platforms like Instagram, where initial updates confirmed the precautionary shutdown "to ensure the integrity and security of data."

As days passed, the outage persisted, with the main website remaining inaccessible even as of February 8. This event highlights the vulnerability of large academic institutions to sophisticated cyber threats, especially in an era where digital tools underpin nearly every aspect of university life.

Understanding Ransomware Attacks Like the One on Sapienza

Ransomware is a type of malicious software designed to encrypt victims' files, rendering them inaccessible until a ransom—typically in cryptocurrency like Bitcoin—is paid for the decryption key. In the case of Sapienza University cyberattack, investigators pointed to Bablock (also known as BabLock or Rorschach), a next-generation ransomware strain first identified in 2023. This malware borrows code from notorious families such as Babuk, LockBit 2.0, and DarkSide, enabling rapid encryption and evasion of common defenses.

What sets Bablock apart is its customization options and speed, making it particularly destructive. It often avoids encrypting systems in Russian or post-Soviet languages, a trait suggesting ties to pro-Russian actors—a detail that fueled speculation about the perpetrators. For universities like Sapienza, which manage vast repositories of sensitive data including student records, research findings, and personal information, such attacks can paralyze operations and pose long-term privacy risks.

The hackers, tracked as the Femwar02 group, reportedly issued a ransom demand via a link featuring a 72-hour countdown timer, activated only upon clicking. Media outlets speculated the amount at around one million euros, though neither the university nor authorities have confirmed opening the link or any payment intentions. This tactic is common in ransomware operations, pressuring victims into hasty decisions while investigators work behind the scenes.

Immediate Operational Disruptions and Daily Challenges

The Sapienza University ransomware attack triggered widespread chaos across its sprawling Roman campuses. Core services like Infostud, used for exam registrations, tuition payments, and academic transcripts, were rendered unusable. Email communications were partially restricted, forcing reliance on physical notices and impromptu infopoints—temporary help desks set up at key campus locations.

Administrative processes reverted to analog methods: paper forms for exam sign-ups, manual verification of payments, and in-person coordination with professors. Deadlines for degree applications were postponed, and second-semester tuition deadlines for new master's students extended. Lessons, particularly for graduate programs, shifted to mandatory in-person attendance.

• Website and internal portals: Completely offline, blocking access to resources.
• Exam bookings: Handled directly with faculty via paper lists.
• Research data access: Limited, raising concerns for ongoing projects.
• Library systems: Potentially affected, though physical collections remained available.

Over 400 servers were impacted, underscoring the scale. Students expressed frustration on social media, with some humorously noting a return to "1990s-style pen and paper" operations, while others worried about the fate of their personal data.

📊 Impacts on Students, Faculty, and Research

For Sapienza's 122,000 students—spanning undergraduates to PhD candidates—the outage disrupted academic progress at a critical juncture. Mid-semester exams proceeded but required manual enrollments, complicating schedules. International students, reliant on digital visa and enrollment portals, faced additional hurdles in a foreign language environment.

Faculty members, including renowned researchers in fields like medicine, engineering, and humanities, lost access to shared drives and collaboration tools. This could delay publications and grant applications, vital for academic careers. Administrators struggled with payroll, hiring, and compliance tasks, echoing broader concerns in higher education where digital dependency has grown exponentially.

In the wider context, such incidents remind professionals seeking higher education jobs in Italy or Europe of the need for resilient institutions. Research continuity is paramount, and disruptions like this highlight risks to intellectual property.

University Response and Collaboration with Authorities

Sapienza's leadership acted swiftly, forming a technical task force and notifying Italy's National Cybersecurity Agency (ACN) and the Polizia Postale. The unified response involved student representatives and administrative bodies to evaluate extensions and flexible arrangements. Backups, confirmed unaffected, are being used for gradual restoration following rigorous security tests.

Updates via Instagram detailed progress: first services expected online within hours post-testing, followed by Infostud and workstations. No evidence of widespread data exfiltration has been confirmed, but vigilance against phishing remains high. The university emphasized protecting careers amid the crisis, a proactive stance praised in Italian media.

Attribution, Investigations, and Ransom Dynamics

Italian newspaper Corriere della Sera and cybersecurity outlets attributed the Sapienza cyberattack to Femwar02, a previously obscure pro-Russian crew. The ACN and specialized forensics teams are probing potential data theft, with fears of sensitive records surfacing on dark web forums. For deeper insights, refer to detailed analyses in the Security Affairs report and Bleeping Computer coverage.

Ransomware groups like this often sell stolen data if ransoms go unpaid, amplifying long-term risks. Sapienza's decision not to engage the ransom link exemplifies best practices endorsed by global cybersecurity frameworks.

Comparisons to prior attacks, such as Eindhoven University of Technology in 2025, reveal a pattern targeting European academia for high-value data.

🔒 Broader Implications for Global Higher Education

The Sapienza University ransomware incident is part of a surging trend in higher education cybersecurity threats. Educational institutions hold troves of personal data, research IP, and face budget constraints limiting defenses—making them prime targets. In 2025 alone, ransomware attacks on universities rose by over 30%, per industry reports.

This event underscores needs for enhanced resilience in academia. Institutions worldwide can learn from it, particularly those hiring for IT security roles via platforms like university jobs. For related trends, see our coverage on cybersecurity evolution in higher ed.

European universities, integral to research hubs like the EU's Horizon Europe program, face amplified geopolitical risks amid tensions.

Actionable Cybersecurity Best Practices for Universities

To prevent repeats of the La Sapienza ransomware attack, universities should adopt multi-layered defenses:

• Implement regular backups (3-2-1 rule: 3 copies, 2 media types, 1 offsite) tested frequently.
• Conduct phishing simulations and employee training, as human error enables 90% of breaches.
• Deploy endpoint detection and response (EDR) tools with AI-driven anomaly detection.
• Segment networks to contain lateral movement by attackers.
• Develop incident response plans with tabletop exercises involving stakeholders.

For faculty and admins, personal vigilance includes multi-factor authentication (MFA) and monitoring for unusual activity. Explore career advice for roles in secure academic environments.

For in-depth recovery strategies, check TechCrunch's analysis and Times Higher Education.

Photo by Philipp Tükenmez on Unsplash

Outlook: Recovery and Fortifying Academic Futures

As Sapienza inches toward recovery, optimism surrounds its robust backups and expert support. Full restoration may take weeks, but lessons will bolster defenses. This cyberattack reinforces the imperative for proactive cybersecurity in higher education.

Professionals navigating academia can share experiences at Rate My Professor or pursue opportunities at higher ed jobs. Stay informed via higher ed career advice, university jobs, and post a job to build resilient teams. Have your say in the comments below—what steps should universities take next?